Preemptive event handling

ABSTRACT

A computerized method of preemptive event handling. The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, classifying, in run time, the first process as a malware in response to the detection of the first event, and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/474,143 filed on Aug. 31, 2014, which claims the benefit of priority under 35 USC 119(e) of U.S. Provisional Patent Application No. 61/872,798 filed on Sep. 2, 2013. The contents of the above applications are all incorporated by reference as if fully set forth herein in their entirety.

FIELD AND BACKGROUND OF THE INVENTION

The present invention, in some embodiments thereof, relates to malicious activity detection and/or handling and, more specifically, but not exclusively, to systems and methods of malicious activity detection and/or handling based on event monitoring.

Conventional anti-virus (AV) applications attempt to prevent harmful or malicious transmissions such as viruses and worms from infiltrating a computing device. Typically, such applications operate on a network gateway or host and monitor incoming traffic. Conventional AV applications, whether server or host based, typically rely on a so-called fingerprint matching implementation. Such a fingerprint matching mechanism aggregates a set of unique indicators, or signatures, exhibited by known malicious transmissions. The unique indicators typically represent portions of files which a particular AV vendor has previously identified as malicious, such as a signature copied and used from a particular byte range in the file, or a hash computed over a predetermined portion of a file. The result is a signature value substantially shorter than the entity (file) it represents yet which has a high likelihood of matching a signature computed from another similar instance of the file. A set of signatures of known malicious transmissions is readily comparable to an incoming transmission to determine malicious content in the incoming transmission.

In recent years, systems and methods for integrating behavioral and signature-based security have been developed.

SUMMARY OF THE INVENTION

According to some embodiments of the present invention, there is provided a computerized method of preemptive event handling. The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, classifying, in run time, the first process as a malware in response to the detection of the first event, and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS.

Optionally, the method further comprises continuously scoring each of the plurality of processes with a process score according to the plurality of events; wherein the detecting comprises calculating an updated process score for respective the process score of the first process in response to an analysis of the first event and wherein the classifying is performed, in run time, in response to the updated process score.

More optionally, the classifying is performed when the updated process score exceeds a malware classification threshold.

Optionally, the preventing is performed in response to the classifying.

Optionally, the monitoring is performed by a kernel driver that channels the plurality of events for an analysis before the processing thereof.

More optionally, the classifying is performed by the kernel driver based on the analysis.

Optionally, the preventing is performed by a kernel driver that filters the first event.

Optionally, the method further comprises filtering safe events from the plurality of events.

Optionally, the method further comprises preventing the execution of the first process on the computing device and deleting at least one additional event associated with the first process.

Optionally, the method further comprises initiating a kernel driver before the OS is loaded; wherein the monitoring is performed by collecting the plurality of events in the kernel level in real time.

According to some embodiments of the present invention, there is provided a system of reverting system data effected by a malware. The system comprises a processor, a threat monitoring module which monitors, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device and detects, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, the threat monitoring module uses the processor to classify, in run time, the first process as a malware in response to the detection of the first event, and an event dispatcher module which prevents, in run time, the first process from running on the computing device before the first event is processed by the OS.

Optionally, the event dispatcher module and the threat monitoring module are components of a kernel driver which operates in a kernel level.

Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.

In the drawings:

FIG. 1 is a process of preventing the processing of events by an operating system (OS) based on kernel level analysis of real time events, according to some embodiments of the present invention;

FIG. 2 is a schematic illustration of a preemptive event management system of preventing the processing of events by an operating system based on kernel level analysis of real time events in a computing device, according to some embodiments of the present invention; and

FIG. 3 is a schematic illustration of a block diagram depicting a flow of events via components of the malicious threat monitoring module and the event dispatcher module, according to some embodiments of the present invention.

DESCRIPTION OF SPECIFIC EMBODIMENTS OF THE INVENTION

The present invention, in some embodiments thereof, relates to malicious activity detection and/or handling and, more specifically, but not exclusively, to systems and methods of malicious activity detection and/or handling based on event monitoring.

According to some embodiments of the present invention, there are provided methods and systems of predispatch filtering of event(s) which trigger the classification and/or scoring of a process as a malware, facilitating preemptive blocking of processes at detection time, before the dispatching of the triggering event(s). Optionally, a kernel level driver is used to capture and channel event(s) for process classification by pre dispatching analysis, and to filter or allow the event(s) according to the process classification.

According to some embodiments of the present invention, processes are continuously scored with a malware level score. When the malware level score exceeds the malware level score, the dispatching of events of the process is immediately prevented. When the malware level score does not exceed the malware level score, the dispatching of events of the process is allowed. Optionally, a process is blocked and optionally deleted after being classified as a malware. Optionally, the effect of the process on the computing device is identified and reverted, for example as described in U.S. Patent Provisional No. 61/869,775 filed Aug. 26, 2013 which is incorporated herein by reference.

Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.

As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system”. Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

Reference is now made to FIG. 1 which is a process of preventing the processing of event(s) by an operating system (OS) based on kernel level analysis of real time events and optionally changes in the scores of process(es), according to some embodiments of the present invention. As used herein, event is defined as an action or occurrence detected by the OS or another event driven system and may be handled by the detecting system. Optionally, the monitored events include spontaneous events generated by the OS, for example a Windows™ OS, and read from a respective system queue and optionally processed one after the other by the event loop. Additionally or alternatively, the monitored events include posted events generated by Qt and/or an application and queued by the Qt and/or processed by an event loop. Additionally or alternatively, the monitored events include sent events generated by Qt and/or by the application and sent directly to a target object. Additionally or alternatively, the monitored events are originated from sources of events such as a user, a hardware device, and/or software.

The monitored events are optionally identified based on run time monitoring at the kernel level, for instance as described below and/or as described in International Patent Application No. PCT/IL2013/050366, which is incorporated herein by reference. In some embodiments, events may be detected by an event detection algorithm, using machine learning (ML) techniques, and aggregated to determine a score of process(es) executed on the monitored computing device 201, for instance as described in International Patent Application No. PCT/IL2013/050366, which is incorporated herein by reference. In these embodiments, an event which triggers the updating of a score of a process to an updated score that passes a malware classification threshold, for example a threshold that differentiates between safe software classification and a malware classification, is prevented from being dispatched and handled on the computing device 201. In such a manner, malware processes are blocked preemptively, before dispatching, when being detected and not after being detected.

Reference is also made to FIG. 2, which is a schematic illustration of a preemptive event management system 200 of preventing the processing of events by an operating system (OS) based on kernel level analysis of real time events in a computing device 201 before the dispatching thereof for handling, according to some embodiments of the present invention. The preemptive event management system 200 optionally supports the process depicted in FIG. 1 when implemented in an OS based computing device having one or more processors 205, for example a server, a laptop, a desktop, a tablet, a Smartphone, Smart TV, a Car computer, a Smart watch, a virtual machine hosted in a network node and/or the like. The preemptive event management system 200 includes a malicious threat monitoring module 203 and an event dispatcher module 204 hosted, either permanently and/or temporarily, in the computing devices 201. As further described below, the malicious threat monitoring module 203 scores and/or classifies, in real time, processes which are executed by a target system running on the computing devices 201, identifies one or more suspected events of these processes, and classifies respective process(es) accordingly. As further described below, the event dispatcher module 204 filters events, prevents the processing of events which are used to classify one or more processes executed on the computing device 201 as malicious.

In use, a plurality of events, such as events tracing for windows (ETW), which are in queue for being dispatched and handled at the computing device 201 are monitored, optionally by the malicious threat monitoring module 203. Optionally, the malicious threat monitoring module 203 channels events generated by the hosting computing device 201 for real time processing. Optionally, the malicious threat monitoring module 203 is implemented as or includes a kernel driver, for instance a driver that channels and filters events as described below with reference to FIG. 3. The kernel driver is optionally initiated before the OS is loaded and collects events in the kernel level in real time, before the dispatching thereof for handling by the OS and/or any other software. Such a kernel driver optionally has a higher priority and more authorizations than a process executed by the OS, see for example International Patent Application No. PCT/IL2013/050366, which is incorporated herein by reference.

As shown at 101, monitored events are caught in the kernel level by the preemptive event management system 200, for instance by an event catcher module 302 described with reference to FIG. 3. As shown at 101, when the caught event, also referred to as a new event, is found as relevant, for example classified as a potential malware event and/or not filtered as a safe event, it is used for scoring one or more of the running processes with malware risk scores in run time, as shown in 102. As shown at 104, when a process is scored above a certain malware classification threshold, for example as shown at 103, it is classified as a malware and the event which has triggered the classification thereof as a malware is prevented from running on the computing device 201 (also referred to as blocked) before it is processed by the OS. When no process is classified as a malware as an outcome of capturing the event, the event is allowed as shown at 105. Optionally, processes are continuously scored, for instance as long as the score does not exceed a malware classification threshold. Optionally, when a score of a process is changed without exceeding the certain malware classification threshold, as an outcome of a detection of a first event related to the process, the first event is processed. In such embodiments, when the score of the process is changed to exceeding the certain malware classification threshold, as an outcome of a detection of a second event related to the process, the second event is prevented (e.g. blocked). In such embodiments, an event that induces a score change that does not trigger a classification of the process as a malware is not blocked and an event that induces a score change that triggers a classification of the process as a malware is blocked.

Optionally, as shown at 106, a reaction to the infection of the computing device 201 with the process is initiated. For example, the process may be deleted. Additionally or alternatively, the effect(s) of the process on the OS of the computing device 201 and/or on the computing device 201, are handled, for example as described in U.S. Patent Provisional No. 61/869,775 filed Aug. 26, 2013 which is incorporated herein by reference.

Reference is now made to FIG. 3, which is a schematic illustration of a block diagram depicting a flow of events via components of the malicious threat monitoring module 203 and the event dispatcher module 204, according to some embodiments of the present invention. In these embodiments, the malicious threat monitoring module 203 and the event dispatcher module 204 are implemented as a kernel level driver, also referred to as a filter driver 300, which computes the process scores and filters events accordingly in real time, before the processing of classification triggering events, at the kernel level. As indicated in 301, events constantly generated by the OS of the monitored computing device are monitored by an event catcher 203A of the malicious threat monitoring module 203. The monitored events are caught by the event catcher 203A, which passes these events to a scoring module 203B of the malicious threat monitoring module 203. The scoring module 203B scores the processes accordingly, for instance as described above. The scores of the processes are optionally fed to the event dispatcher module 204 that either allows and/or prevents the running of an event before the dispatching and handling thereof based on the effect of that event on the score(s) of the process(es) and/or based on the score(s) of the process(es) themselves before the event is executed. When a change in a score of a process derived from a detection of event(s) does not lead to scoring a process above a malware classification threshold and therefore does not prompt the detection of a malware, the event dispatcher module 204 outputs the event(s) as is. When a change in a score of a process derived from a detection of event(s) leads to a score above the malware classification threshold and therefore a malware detection is prompted, the event(s) are blocked before they cause damage.

An exemplary pseudocode of event filtering as described above is as follows:

  While true {
    getAction( )
    if (retrievedActionIsRelevant)
    {
      computeMalScore( )
      if (MalScore > MALWARE_THRESHOLD)
      {
        blockEvent( )
        remediate( )
      }
      else
      {
        allowEvent( )
      }
    }
  }
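The filtering loop in the pseudocode above, written out as a user-space C simulation of the pre-dispatch decision. This is an added example, not code from the patent or its authors; the event kinds, weights, PIDs, the threshold value of 100 and all function names are assumptions made for illustration, and remediation (step 106) is left out.

```c
#include <stdio.h>
#include <string.h>

/* Event kinds, weights, PIDs and the threshold value are constructed for
 * this sketch; the patent text does not specify any of them. */
enum event_kind { EV_FILE_READ, EV_AUTORUN_WRITE, EV_REMOTE_THREAD,
                  EV_MASS_RENAME, EV_KIND_COUNT };
enum verdict { ALLOW = 0, BLOCK = 1 };
struct event { int pid; enum event_kind kind; };

#define MAX_PROCS 8
#define MALWARE_THRESHOLD 100
struct proc_state { int in_use, pid, score, is_malware; };
struct filter { struct proc_state procs[MAX_PROCS]; };

/* Weight 0 marks a "safe" event: it is filtered out and never scored. */
static const int event_weight[EV_KIND_COUNT] = { 0, 40, 50, 70 };

void filter_init(struct filter *f)
{
    memset(f, 0, sizeof *f);
}

/* Return the state for pid; with create != 0, start tracking it on first
 * sight. NULL means "not tracked" (unknown pid, or the table is full). */
static struct proc_state *proc_find(struct filter *f, int pid, int create)
{
    struct proc_state *free_slot = NULL;
    for (int i = 0; i < MAX_PROCS; i++) {
        if (f->procs[i].in_use && f->procs[i].pid == pid)
            return &f->procs[i];
        if (!f->procs[i].in_use && free_slot == NULL)
            free_slot = &f->procs[i];
    }
    if (!create || free_slot == NULL)
        return NULL;
    *free_slot = (struct proc_state){ 1, pid, 0, 0 };
    return free_slot;
}

/* Current score of a process, or -1 if it has never been seen. */
int proc_score(struct filter *f, int pid)
{
    struct proc_state *p = proc_find(f, pid, 0);
    return p ? p->score : -1;
}

/* Decide on one event before it is dispatched to the OS. */
enum verdict filter_event(struct filter *f, struct event ev)
{
    struct proc_state *p = proc_find(f, ev.pid, 1);
    if (p == NULL)
        return ALLOW;  /* table full: failing open is this sketch's choice */
    if (p->is_malware)
        return BLOCK;  /* already classified: nothing more is dispatched */
    if (event_weight[ev.kind] == 0)
        return ALLOW;  /* safe event: not relevant for scoring */
    p->score += event_weight[ev.kind];
    if (p->score > MALWARE_THRESHOLD) {
        p->is_malware = 1;  /* classified on the triggering event ... */
        return BLOCK;       /* ... which is itself never processed */
    }
    return ALLOW;  /* score rose but did not exceed the threshold */
}

/* Constructed event stream: pid 10 crosses the threshold, pid 20 does not. */
static const struct event sample_events[] = {
    { 10, EV_FILE_READ },      /* safe, unscored          -> allow */
    { 10, EV_AUTORUN_WRITE },  /* pid 10 score 40         -> allow */
    { 20, EV_REMOTE_THREAD },  /* pid 20 score 50         -> allow */
    { 10, EV_MASS_RENAME },    /* pid 10 score 110 > 100  -> block */
    { 10, EV_FILE_READ },      /* pid 10 already malware  -> block */
    { 20, EV_AUTORUN_WRITE },  /* pid 20 score 90         -> allow */
    { 20, EV_FILE_READ },      /* safe, unscored          -> allow */
};
#define SAMPLE_COUNT (sizeof sample_events / sizeof sample_events[0])

/* Run the stream through the filter; returns how many events were blocked. */
int run_sample(struct filter *f, enum verdict *out)
{
    int blocked = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        out[i] = filter_event(f, sample_events[i]);
        blocked += (out[i] == BLOCK);
    }
    return blocked;
}

int main(void)
{
    struct filter f;
    enum verdict v[SAMPLE_COUNT];
    filter_init(&f);
    printf("blocked %d events\n", run_sample(&f, v));
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("pid %d: %s\n", sample_events[i].pid,
               v[i] == BLOCK ? "BLOCK" : "ALLOW");
    return 0;
}
```

Unlike the pseudocode, this version also returns an explicit allow verdict for events that are not relevant for scoring, and keeps blocking later events of a process once it has been classified.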

The methods as described above are used in the fabrication of integrated circuit chips.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

It is expected that during the life of a patent maturing from this application many relevant systems and methods will be developed and the scope of the term a module, a malware, and a processor, is intended to include all such new technologies a priori.

As used herein the term “about” refers to ±10%.

The terms “comprises”, “comprising”, “includes”, “including”, “having” and their conjugates mean “including but not limited to”. This term encompasses the terms “consisting of” and “consisting essentially of”.

The phrase “consisting essentially of” means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.

As used herein, the singular form “a”, “an” and “the” include plural references unless the context clearly dictates otherwise. For example, the term “a compound” or “at least one compound” may include a plurality of compounds, including mixtures thereof.

The word “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.

The word “optionally” is used herein to mean “is provided in some embodiments and not provided in other embodiments”. Any particular embodiment of the invention may include a plurality of “optional” features unless such features conflict.

Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.

Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases “ranging/ranges between” a first indicate number and a second indicate number and “ranging/ranges from” a first indicate number “to” a second indicate number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.

It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.

Although the invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.

All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.

What is claimed is:
 1. A computerized method of preemptive event handling, comprising: monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device; detecting, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device; classifying, in run time, said first process as a malware in response to said detection of said first event; and preventing, in run time, said first process from running on said computing device before said first event is processed by said OS.
 2. The method of claim 1, further comprising continuously scoring each of said plurality of processes with a process score according to said plurality of events; wherein said detecting comprises calculating an updated process score for respective said process score of said first process in response to an analysis of said first event and wherein said classifying is performed, in run time, in response to said updated process score.
 3. The method of claim 2, wherein said classifying is performed when said updated process score exceeds a malware classification threshold.
 4. The method of claim 1, wherein said preventing is performed in response to said classifying.
 5. The method of claim 1, wherein said monitoring is performed by a kernel driver that channels said plurality of events for an analysis before the processing thereof.
 6. The method of claim 5, wherein said classifying is performed by said kernel driver based on said analysis.
 7. The method of claim 1, wherein said preventing is performed by a kernel driver that filters said first event.
 8. The method of claim 1, further comprising filtering safe events from said plurality of events.
 9. The method of claim 1, further comprising preventing the execution of said first process on said computing device and deleting at least one additional event associated with said first process.
 10. The method of claim 1, further comprising initiating a kernel driver before said OS is loaded; wherein said monitoring is performed by collecting said plurality of events in the kernel level in real time.
 11. A system of reverting system data effected by a malware, comprising: a processor; a threat monitoring module which monitors, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device and detects, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device, said threat monitoring module uses said processor to classify, in run time, said first process as a malware in response to said detection of said first event; and an event dispatcher module which prevents, in run time, said first process from running on said computing device before said first event is processed by said OS.
 12. The system of claim 11, wherein said event dispatcher module and said threat monitoring module are components of a kernel driver which operates in a kernel level.
 13. A computerized method of preemptive event handling, comprising: a computer readable storage medium; first program instructions to monitor, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device; second program instructions to detect, in run time, a first event of said plurality of events, said first event being performed by a first process of said plurality of processes on said computing device; third program instructions to classify, in run time, said first process as a malware in response to said detection of said first event; and fourth program instructions to prevent, in run time, said first process from running on said computing device before said first event is processed by said OS; wherein said first, second, third, and fourth program instructions are stored on said computer readable storage medium.